Cameras

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only camera skill is coherent and user-driven, but it handles sensitive camera feeds, credentials, cloud vision options, and monitoring examples that users should configure carefully.

This skill appears safe to install as instruction-only guidance, but treat it as a sensitive camera-access helper. Do not paste reusable passwords or tokens into shared chats, prefer environment variables or scoped accounts, confirm before sending snapshots to cloud vision APIs, and add explicit time limits for any continuous monitoring or alerting workflow.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If these commands are run, the agent or user may capture images from a local webcam or connected camera.

Why it was flagged

The docs show raw local tool invocation to capture camera images. This is central to the skill’s purpose and user-directed, but it can access camera hardware and write image files.

Skill content

cmd = [ 'ffmpeg', '-y', '-f', 'avfoundation', ... '-frames:v', '1', ... output ]
subprocess.run(cmd, capture_output=True)

Recommendation

Only run capture commands after confirming the intended device, output path, and user consent.

What this means

Camera URLs, passwords, and tokens could expose private camera feeds if pasted into logs, shell history, or shared conversations.

Why it was flagged

The skill expects users to provide camera access credentials. This is purpose-aligned, but those credentials can grant access to security cameras or home-security systems.

Skill content

User provides camera credentials (RTSP URLs, passwords)

Recommendation

Prefer environment variables or a secure secret store, avoid sharing full camera URLs with embedded passwords, and use least-privileged camera accounts where possible.

What this means

Snapshots from private or security cameras may be transmitted to third-party cloud services for analysis.

Why it was flagged

The processing guide describes sending captured camera images to external vision providers such as Anthropic, Google Cloud Vision, or AWS Rekognition. This is disclosed and purpose-aligned, but it moves private imagery outside the local camera environment.

Skill content

The simplest approach: capture image, send to vision model.

Recommendation

Confirm before sending camera images to cloud services, use local processing when privacy is important, and avoid uploading images containing sensitive people, locations, or documents unless necessary.

What this means

A monitoring setup could continue watching cameras or sending alerts longer than intended.

Why it was flagged

The docs include continuous monitoring and persistent MQTT subscription examples. They are coherent with security monitoring, but can keep operating indefinitely if implemented without explicit bounds.

Skill content

while True:
    frame = capture_snapshot(camera_url)
...
client.loop_forever()

Recommendation

Set clear monitoring windows, stop conditions, notification limits, and storage-retention rules before using continuous monitoring patterns.